The Real Cost of Insecure Software: The Foundation of Civilization

What do software and cement have in common? They're both everywhere! How do they differ? Cement has much better quality control. David Rice discusses the perilous state of software security in this introduction to his book, Geekonomics.

This chapter is from the book

“The value of a thing sometimes lies not in what one attains with it, but in what one pays for it—what it costs us.”

—Friedrich Nietzsche

For the city of London, 1854 was a dreadful year. An outbreak of cholera, the third in 20 years, claimed over ten thousand
lives. Six previous city Commissions failed to adequately address London’s growing sewage problem, leaving the entire metropolitan
area—more than one million people—subject to the vagaries of overflowing cesspools, ill-constructed sewers, contaminated groundwater,
and a dangerously polluted Thames River. Considering London was one of the most populated cities at the time and depended
heavily on the Thames River, inaction had unfortunate consequences. Sadly, thousands of deaths could not properly motivate
Parliament to overcome numerous bureaucratic and political obstacles required to address the crisis.

It was not until an inordinately hot summer in 1858 that the stench of the Thames so overwhelmed all those in close proximity
to the river—particularly members of Parliament, many of whom still believed cholera to be an airborne rather than a waterborne
pathogen—that resistance finally subsided. The “Great Stink” served as impetus to the largest civic works project London had
ever seen.1

For the next ten years, Joseph Bazalgette, Chief Engineer of the Metropolitan Board of Works, constructed London’s newer and
larger sewer network against imposing odds. Despite Parliament’s hard-won support and a remarkable design by Bazalgette himself,
building a new sewer network in an active and sprawling city raised significant technical and engineering challenges.

Most obvious among these challenges was excavating sewer lines while minimizing disruption to local businesses and the city’s
necessary daily activities. Less obvious, but no less important, was selecting contracting methods and building materials
for such an enormous project. Modern public works projects such as the California Aqueduct, the U.S. Interstate highway system,
or China’s Three Gorges Dam elicit images of enormous quantities of coordination and concrete. Initially, Bazalgette enjoyed
neither.

Selecting suitable building materials was an especially important engineering decision, one that Bazalgette did not take lightly.
Building materials needed to bear considerable strain from overhead traffic and buildings as well as survive prolonged exposure
to and immersion in water. Traditionally, engineers at the time would have selected Roman cement, a common and inexpensive
material used since the fourteenth century, to construct the extensive underground brickworks required for the new sewer system.
Roman cement gets its name from its extensive use by the Romans to construct the infrastructure for their republic and empire.
The “recipe” for Roman cement was lost during the Dark Ages only to be rediscovered during the Renaissance. This bit of history
aside, Bazalgette chose to avoid Roman cement for laying the sewer’s brickwork and instead opted in favor of a newer, stronger,
but more expensive type of cement called Portland cement.

Portland cement was invented in the kitchen of a British bricklayer named Joseph Aspdin in 1824. What Aspdin discovered during
his experimentation, and what the Romans had not, was that by first heating some of the ingredients of cement—finely
ground limestone and clay—the silica in the clay bonded with the calcium in the limestone, creating a far more durable concrete,
one that chemically interacted with any aggregates such as stone or sand added to the cement mixture. Roman cement, in comparison,
does not chemically interact with aggregates and therefore simply holds them in suspension. This makes Roman cement weaker
in comparison to Portland cement but only in relative, not absolute terms. Many substantial Roman structures including roadways,
buildings, and seaports survived nearly 2,000 years to the present.

It is the chemical reaction discovered by Aspdin that gives Portland cement its amazing durability and strength over Roman
cement. This chemical reaction also gives Portland cement the interesting characteristic of gaining in strength with both
age and immersion in water.2 If traditional cement sets in one day, Portland cement will be more than four times as hard after a week and over eight times
as hard in five years.3 In choosing a material for such a massive and important project as the London sewer, Portland cement might have rightly appeared
to Bazalgette as the obvious choice. There was only one problem: Portland cement is unreliable if the production process varies
even slightly.

The strength and therefore the reliability of Portland cement is significantly diminished by what would appear to the average
observer as minuscule, almost trivial changes in mixture ratios, kiln temperature, or grinding process. In the mid-nineteenth
century, quality control processes were largely non-existent, and where they did exist were inconsistently employed—based
more on personal opinion rather than objective criteria. The “state of the art” in nineteenth century quality control meant
that while Portland cement was promising, it was a risky choice on the part of Bazalgette. To mitigate any inconsistencies
in producing Portland cement for the sewer project, Bazalgette created rigorous, objective, and some would say draconian testing
procedures to ensure each batch of Portland cement afforded the necessary resiliency and strength. His reputation as an engineer
and the success of the project depended on it.

Bazalgette enforced the following regimen: Delivered cement sat at the construction site for at least three weeks to acclimate
to local environmental conditions. After the elapsed time, samples were taken from every tenth sack and made into molds that
were immediately dropped into water where the concrete would remain for seven days. Afterward, samples were tested for strength.
If any sample failed to bear weight of at least five hundred pounds (more than twice that of Roman cement), the entire delivery was rejected.4 By 1865, more than 11,587 tests were conducted on 70,000 tons of cement for the southern section of the sewerage alone.5 Bazalgette’s testing methodology proved so thorough, the Metropolitan Board who oversaw the project eventually agreed to
Bazalgette’s request to construct sewers entirely from concrete. This not only decreased the time required to construct the
sewerage, but eliminated the considerable associated cost of the brickworks themselves.6

Once completed, Bazalgette’s sewer system saved hundreds of thousands of lives by preventing future cholera and typhoid epidemics.7 The sewer system also made the Thames one of the cleanest metropolitan rivers in the world and changed the face of river-side
London forever. By 1872, the Registrar-General’s Annual Report stated that the annual death rate in London was far below any
other major European, American, or Indian city, and at 3.3 million people (almost three times the population from the time
Bazalgette started his project), London was by far the largest city in the world. This state of affairs was unprecedented
for the time. By 1896 cholera was so rare in London, the Registrar-General classified cholera as an “exotic disease.” Bazalgette’s
sewer network, as well as the original cement used in its construction, remains in use to this day. Given that Portland cement
increases with strength over time, it is likely London’s sewer system will outlive even some of Rome’s longest standing architectural
accomplishments such as the aqueducts and the Pantheon.

Software and Cement

While Bazalgette’s design of the sewer network was certainly important, in hindsight the selection and qualification of Portland
cement was arguably the most critical aspect to the project’s success. Had Bazalgette not enforced strict quality control
on production of Portland cement, the outcome of the “Great Stink of London” might have been far different. Due to Bazalgette’s
efforts and the resounding success of the London sewer system, Portland cement progressed in a few short years from “promising
but risky” to the industry standard used in just about every major construction project from that time onward.

Portland cement’s popularity, then, is due not just to its physical properties, but in large part to Bazalgette’s strict and
rigorous quality tests, which drastically reduced potential uncertainties associated with Portland cement’s production. At
present, more than 20 separate tests are used to ensure the quality of Portland cement, significantly more than Bazalgette
himself employed. World production of Portland cement exceeded two billion metric tons in 2005, with China accounting for
nearly half of that production followed closely by India and the United States.8 This works out to roughly 2.5 tons of cement for every person on the planet. Without Portland cement, much of modern civilization
as we know it, see it, live on it, and drive on it would fail to exist.

Cement is everywhere in modern civilization. Mixed with aggregates such as sand and stone, it forms concrete that comprises
roadways, bridges, tunnels, building foundations, walls, floors, airports, docks, dams, aqueducts, pipes, and the list goes
on. Cement is—quite literally—the foundation of modern civilization, creating the infrastructure that supports billions of
lives around the globe. One cannot live in modern civilization without touching, seeing, or relying on cement in one way or
another. Our very lives depend on cement, yet cement has proven so reliable due to strict quality controls that it has to
a large extent disappeared from our field of concerns—even though we are surrounded by it. Such is the legacy of Bazalgette’s
commitment to quality: We can live our lives without thinking twice about what is beneath our feet, or more importantly, what
may be above our head.

Civilization depends on infrastructure, and infrastructure depends, at least in part, on durable, reliable cement. Due to
its versatility, cost-effectiveness, and broad availability, cement has provided options in construction that could not otherwise
be attained with stone, wood, or steel alone. But since the 1950s, a new material has been slowly and unrelentingly injected
into modern infrastructure, one that is far more versatile, cost-effective, and widely available than cement could ever hope
to be. It also just so happens to be invisible and unvisualizable. In fact, it is not a material at all. It is software.

Like cement, software is everywhere in modern civilization. Software is in your mobile phone, on your home computer, in cars, airplanes, hospitals, businesses, public utilities, financial systems, and national defense systems. Software is an
increasingly critical component in the operation of infrastructures, cutting across almost every aspect of global, national,
social, and economic function. One cannot live in modern civilization without touching, being touched by, or depending on
software in one way or another.

Software helps deliver oil to our cities, electricity to our homes, water to our crops, products to our markets, money to
our banks, and information to our minds. It allows us to share pictures, music, thoughts, and ideas with people we might meet
infrequently in person but will intimately know from a distance. Everything is becoming “smarter” because software is being
injected into just about every thing. Software has accelerated economic growth by making it possible to manage labor and capital with unprecedented
capacity. Hundreds of thousands of people, if not millions, owe their livelihoods to software. With its aid, we have discovered
new medicines, new oil fields, and new planets and it has given us new ways of visualizing old problems, thereby finding solutions
we might never have had the capacity, time, or ability to discover without it. With software we are able to build bridges
once thought impossible, create buildings once thought unrealistic, and explore regions of earth, space, and self once thought
unreachable.

Software has also given us the Internet, a massive world-wide network connecting all to all. In fact, connectedness in the
twenty-first century is primarily a manifestation of software. Software handles the protocols necessary for communication,
operates telecommunications equipment, bundles data for transmission, and routes messages to far-flung destinations as well
as giving function and feature to a dizzying array of devices. Software helps connect everything to everything else with the
network—the Internet—merely a by-product of its function. Without software, the network would be just a bunch of cables, just
as a human cell without DNA would be just a bunch of amino acids and proteins.

Software is everywhere; it is everywhere because software is the closest thing we have to a universal tool. It exhibits a radical malleability that
allows us to do with it what we will. Software itself is nothing more than a set of commands that tells a computer processor
(a microchip) what to do. Connect a microchip to a toy, and the toy becomes “smart”; connect a microchip to a car’s fuel injector,
and the car becomes more fuel efficient; connect it to a phone, and the phone becomes indispensable in life’s everyday affairs.
Connect a microchip to just about anything, and just about anything is possible because the software makes it so. Software
is the ghost in the machine, the DNA of technology; it is what gives things the appearance of intelligence when none can possibly exist.

The only aspect of software more impressive than software itself is the people that create software. Computer programmers,
also known as software developers or software engineers, write the instructions that tell computers what to do. Software developers
are in large part a collection of extremely talented and gifted individuals whose capacity to envision and implement algorithms
of extraordinary complexity and elegance gives us search engines, operating systems, word processors, instant messaging, mobile
networks, satellite navigation, smart cars, advanced medical imaging; the list goes on. As such, software is a human creation,
and as a human creation it is subject to the strengths and foibles of humanity. This is where the similarities of cement and
software become most interesting.

Software, like cement before it, is becoming the foundation of civilization. Our very lives are becoming more dependent on
and subject to software. As such, the properties of software matter greatly: quality, reliability, and security each accomplish
very little by themselves, but their absence faults everything else. Like Portland cement, software can be unreliable if production
processes vary even slightly. Whereas variations in kiln temperatures, mixture ratios, or grinding processes can detrimentally
affect the strength and durability of Portland cement after it has been poured, there are a host of similar, seemingly trivial
variations in producing software that can detrimentally affect its “strength” when “poured” into microchips. It is up to humans
to get the production process right.

Unlike Portland cement, for more than 50 years software of all types and function has been continuously released into the
stream of commerce, plagued by design and implementation defects that were largely detectable and preventable by manufacturers,
but were not. This has and does result in catastrophic accidents, significant financial losses, and even death. The trepidation
over insufficient software manufacturing practices extends back to the late 1960s when the North Atlantic Treaty Organization
(NATO) convened a panel of 50 experts to address the “software crisis.” While the panel did not provide any direct solutions,
the concept of a “software engineer” was developed as a means to more closely align software manufacturing with the engineering
discipline rather than artistic creativity. The intent, as far as we can tell, was to remove the “rule of thumb” in the production
of software and all the inconsistencies such approximation introduces. After 50 years, defining what actually constitutes
the principles and practice of software engineering has not progressed far. What is clear, however, is that the unfortunate
history of software blunders sullies the reputation of software in general and distorts the genius of software developers
in particular.

Perhaps most frustrating is the inconsistent use of quality control measures by such a wide range of software manufacturers
for such an extended period of time. Software is infinitely more complex than cement to be sure, but complexity does not entirely
account for systemic, reoccurring software manufacturing defects. Quality control measures—even in the absence of a clear
definition for software engineering—have been and are available specifically to address problems with software production.

Software has its own modern-day equivalent of Joseph Bazalgette: his name is Watts Humphrey. Humphrey is a fellow and research
scientist at Carnegie Mellon University’s Software Engineering Institute (SEI) and is often called the “father of software
quality” having developed numerous methodologies since the 1980s for designing quality and reliability into software products. In 2005, President George W. Bush awarded Mr. Humphrey
the National Medal of Technology, the highest honor for innovation in the United States. The only problem in this story is
that a significant portion of software manufacturers around the world still largely ignore or only superficially implement
Humphrey’s guidance. As a result, the Software Engineering Institute noted at the beginning of the twenty-first century that
software was getting worse, not better. Such a proclamation augurs ill for civilization’s newest foundation.

But if software quality were the only issue, perhaps we could discount the problem of low-quality software simply on the basis
of “growing pains.” After all, at 50 years old, some might argue software is still a relatively new phenomenon and that such
failures in quality are understandable and even tolerable for such a young technology. When civil engineering was 50 years
old, for instance, the brick had not even been invented yet.9

Yet when civil engineering was 50 years old, the profession was not building and connecting global infrastructure. Software’s
newness has not precluded it from being injected into nearly every aspect of modern civilization. That software connects everything
to everything else magnifies even the smallest foibles in software production. This introduces a critical aspect of software
vastly different from weaknesses in traditional building materials: once interconnected, even the smallest piece of insecure
software may have global consequences. New or not, software needs to be worthy of its place.

Weaknesses or defects in software can not only result in a given software application failing for one reason or another (including
no reason), but software defects can potentially be exploited by hackers, who, discovering or knowing the weakness exists,
may use it to surreptitiously access and control a system from a continent away, stealing sensitive personal information such
as credit cards or social security numbers or absconding with trade secrets or intellectual property. Such weaknesses could
also be used to hijack computer systems and then turn those systems against their owners or against other nations and other
peoples. In the end, insecure software is already imposing economic and social costs well into the billions of dollars per year, with no sign of abatement. The
trend is disturbing.

Understanding why this situation persists and seems to be only getting worse has important implications for modern civilization.
In other words, new or not, society inevitably demands any technology used in the foundation of civilization, whether cement
or software, should be given the time and attention foundations deserve. Bazalgette and his legacy expected no less; nor should
we.